Limit User Access to the Destinations Page and Its Options

By default, the BackupBuddy -> Destinations page is only accessible for Administrators. As that is the most secure Role that WordPress offers. And WordPress assumes that the owner of the site assumes all administrators are trustful.

Though there are possible options to limit access to the Destinations and/or some of its options. The first option is that most (but not all) of the remote destinations have the ability to disable file management. File management allows the user to view and access the backups that are stored in that specific remote destination.

 

disable_file_mgmt.png

To disable file management, please go to the BackupBuddy -> Destinations page. Then find the remote destination you would like to adjust. To the right of the name of the remote destination, "My Dropbox" for example, please click the gear-icon. From there you will see the "Destination Settings". Look toward the bottom for "Advanced Options" and click that. Some more options should appear. Locate the "Disable file management" option and to the right of it, please click in the box. Then save the settings.

Please note, once enabled, this cannot be disabled without deleting and recreating the destination.

Some of the destinations have additional options that you can use to make the destination more specific and in some aspects, more secure. For example, with Dropbox destinations, it is possible to set up the Dropbox destination so each site sends to its own directory. That's what the optional "Directory" setting is when you are creating a Dropbox remote destination (or editing an existing one in BackupBuddy's Remote Destination page then click the gear wheel for the remote destination in question to get to its configuration settings).

When creating an Amazon S3 remote destination, we have a guide that will walk you through setting up separate IAM accounts for each client: https://help.ithemes.com/hc/en-us/articles/211129517-Amazon-S3
You can customize which actions the user is allowed to perform in the policy as well as which resource (bucket/directory combo) to grant said access to.

Regarding Amazon IAM, your best resource for understanding how to use this is Amazon itself, as their documentation will be complete and up to date. We suggest a starting point here: http://aws.amazon.com/iam/ and also when you are logged in to your Amazon management console you will be able to get additional help. The Amazon forum(s) would also be a good source of information - these are accessible through the Amazon AWS portal.

For FTP destinations, when using the same type of destination for multiple sites where you wish to maintain some separation between those sites we would recommend that you at least create different directories for each site. For greater isolation, you can create multiple FTP users each and a directory per user and have the FTP login for each user go to the specific directory for that user. Your FTP server host can advise on the various options for creating multiple FTP users and how to assign a specific directory as the default login directory for the particular FTP user.

Finally, if you want to totally limit access to the BackupBuddy -> Destinations page, there is the option of using a WordPress plugin to limit what an Administrator can access:
https://wordpress.org/plugins/advanced-access-manager/
https://wordpress.org/plugins/admin-menu-editor/ (We've actually seen a few BackupBuddy sites use this one.)
https://wordpress.org/plugins/wp-access-areas/
https://wordpress.org/plugins/s2member/
https://wordpress.org/plugins/user-role-editor/

 

 

Powered by Zendesk